### Authentication

You must provide an ACL token linked to a policy with `acl:write` permissions to create and modify ACL tokens and policies using the CLI or API.

You can provide the token manually using the `-token` option on the command line, but we recommend setting the `CONSUL_HTTP_TOKEN` environment variable to simplify your workflow:

```shell-session
$ export CONSUL_HTTP_TOKEN=<acl-token-secret-id>
```

The Consul CLI automatically reads the `CONSUL_HTTP_TOKEN` environment variable so that you do not have to pass the token to every Consul CLI command.

To authenticate calls to the Consul HTTP API, you must provide the token in the `X-Consul-Token` header for each call:

```shell-session
$ curl --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" ...
```

To learn about alternative ways to authenticate, refer to the following documentation:

* [CLI Authentication](/consul/commands#authentication)
* [API Authentication](/consul/api-docs/api-structure#authentication)
